Arab Security Consultants


Python-Based Malware Powers RansomHub Ransomware to Exploit Network Flaws

by Ayman Hamam / Tuesday, 21 January 2025 / Published in News

Cybersecurity researchers have detailed an attack that involved a threat actor utilizing a Python-based backdoor to maintain persistent access to compromised endpoints and then leveraged this access to deploy the RansomHub ransomware throughout the target network.

According to GuidePoint Security, initial access is said to have been facilitated by means of a JavaScript malware downloader named SocGholish (aka FakeUpdates), which is known to be distributed via drive-by campaigns that trick unsuspecting users into downloading bogus web browser updates.

Such attacks commonly involve the use of legitimate-but-infected websites that victims are redirected to from search engine results using black hat Search Engine Optimization (SEO) techniques. Upon execution, SocGholish establishes contact with an attacker-controlled server to retrieve secondary payloads.

As recently as last year, SocGholish campaigns have targeted WordPress sites relying on outdated versions of popular SEO plugins such as Yoast (CVE-2024-4984, CVSS score: 6.4) and Rank Math PRO (CVE-2024-3665, CVSS score: 6.4) for initial access.

In the incident investigated by GuidePoint Security, the Python backdoor was found to be dropped about 20 minutes after the initial infection via SocGholish. The threat actor then proceeded to deliver the backdoor to other machines located in the same network during lateral movement via RDP sessions.

“Functionally, the script is a reverse proxy that connects to a hard-coded IP address. Once the script has passed the initial command-and-control (C2) handshake, it establishes a tunnel that is heavily based on the SOCKS5 protocol,” security researcher Andrew Nelson said.

“This tunnel allows the threat actor to move laterally in the compromised network using the victim system as a proxy.”
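The role reversal described above is what a defender can key on: the endpoint opens the outbound connection, yet the remote peer speaks as the SOCKS5 client. The following is an added illustration, not code from GuidePoint or from the backdoor itself; it parses the SOCKS5 greeting and request messages (RFC 1928 layout) and flags that pattern on a constructed sample.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}

def parse_socks5_greeting(data):
    """Auth methods offered if data is a SOCKS5 client greeting (VER NMETHODS METHODS), else None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or data[1] == 0 or len(data) < 2 + data[1]:
        return None
    return list(data[2:2 + data[1]])

def parse_socks5_request(data):
    """(command, host, port) if data is a SOCKS5 request (VER CMD RSV ATYP DST.ADDR DST.PORT), else None."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 1 and len(data) >= 10:                                # IPv4 address
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 3 and len(data) > 4 and len(data) >= 7 + data[4]:  # length-prefixed domain name
        host, end = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    elif atyp == 4 and len(data) >= 22:                              # IPv6 address
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    return CMD_NAMES.get(cmd, f"CMD_{cmd}"), host, struct.unpack("!H", data[end:end + 2])[0]

def assess_connection(endpoint_initiated, remote_messages):
    """Flag the reverse-proxy pattern: the monitored endpoint opened the connection, yet the
    remote peer sends the SOCKS5 client greeting and then steers the endpoint toward destinations."""
    result = {"reverse_socks5": False, "requests": []}
    if not endpoint_initiated or not remote_messages:
        return result
    if parse_socks5_greeting(remote_messages[0]) is None:
        return result
    result["reverse_socks5"] = True
    for msg in remote_messages[1:]:          # later messages carry the proxied requests
        req = parse_socks5_request(msg)
        if req:
            result["requests"].append(req)
    return result

# Constructed sample (not captured traffic): on a connection the endpoint opened, the remote
# peer sends a SOCKS5 greeting (no-auth) followed by a CONNECT toward an internal RDP port.
C2_MESSAGES = [b"\x05\x01\x00", b"\x05\x01\x00\x01" + bytes([10, 0, 0, 5]) + (3389).to_bytes(2, "big")]
```

A forward proxy used legitimately shows the opposite direction (the endpoint sends the greeting), so the check stays quiet on that traffic.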

The Python script, an earlier version of which was documented by ReliaQuest in February 2024, has been detected in the wild since early December 2023, while undergoing “surface-level changes” that are aimed at improving the obfuscation methods used to avoid detection.

GuidePoint also noted that the decoded script is both polished and well-written, indicating that the malware author is either meticulous about maintaining highly readable and testable Python code or is relying on artificial intelligence (AI) tools to assist with the coding task.

“With the exception of local variable obfuscation, the code is broken down into distinct classes with highly descriptive method names and variables,” Nelson added. “Each method also has a high degree of error handling and verbose debug messages.”

The Python-based backdoor is far from the only precursor detected in ransomware attacks. As highlighted by Halcyon earlier this month, some of the other tools deployed prior to ransomware deployment include those responsible for:

  • Disabling Endpoint Detection and Response (EDR) solutions using EDRSilencer and Backstab
  • Stealing credentials using LaZagne
  • Compromising email accounts by brute-forcing credentials using MailBruter
  • Maintaining stealthy access and delivering additional payloads using Sirefef and Mediyes

Ransomware campaigns have also been observed targeting Amazon S3 buckets by leveraging Amazon Web Services’ Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt victim data. The activity has been attributed to a threat actor dubbed Codefinger.

Besides preventing recovery without their generated key, the attacks employ urgent ransom tactics wherein the files are marked for deletion within seven days via the S3 Object Lifecycle Management API to pressure victims into paying up.

“Threat actor Codefinger abuses publicly disclosed AWS keys with permissions to write and read S3 objects,” Halcyon said. “By utilizing AWS native services, they achieve encryption in a way that is both secure and unrecoverable without their cooperation.”
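The two native S3 features named above, SSE-C writes and a short lifecycle expiration, are both visible to the bucket owner. The following is an added example, not code from Halcyon or AWS: it scans constructed CloudTrail-style S3 data events for that combination and builds the bucket policy that refuses writes carrying a customer-provided key (the `SSEApplied` field and the `s3:x-amz-server-side-encryption-customer-algorithm` condition key are real; the lifecycle payload shape in the sample is an assumption, so the scan searches for `Expiration` anywhere in the request).

```python
# Constructed CloudTrail-style S3 data events (not real telemetry). Bucket, key and
# source addresses are made up; "SSEApplied" is the field S3 data events use to report
# which server-side encryption was applied to an object write.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "finance-data", "key": "q1.xlsx"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject", "sourceIPAddress": "198.51.100.2",
     "requestParameters": {"bucketName": "finance-data", "key": "q2.xlsx"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "PutBucketLifecycle", "sourceIPAddress": "203.0.113.7",   # payload shape assumed
     "requestParameters": {"bucketName": "finance-data", "LifecycleConfiguration":
                           {"Rule": [{"Status": "Enabled", "Expiration": {"Days": 7}}]}}},
]

def sse_c_writes(events):
    """Object writes where S3 reports customer-provided-key encryption (SSE-C)."""
    return [(e["requestParameters"]["bucketName"], e["requestParameters"].get("key"), e["sourceIPAddress"])
            for e in events
            if e["eventName"] in ("PutObject", "CopyObject")
            and e.get("additionalEventData", {}).get("SSEApplied") == "SSE_C"]

def _expiration_days(node):
    """Recursively collect every Expiration.Days value inside a lifecycle payload."""
    if isinstance(node, dict):
        exp = node.get("Expiration")
        own = [exp["Days"]] if isinstance(exp, dict) and isinstance(exp.get("Days"), int) else []
        return own + [d for v in node.values() for d in _expiration_days(v)]
    if isinstance(node, list):
        return [d for v in node for d in _expiration_days(v)]
    return []

def short_expirations(events, max_days=7):
    """Lifecycle changes that schedule object deletion within max_days."""
    return [(e["requestParameters"]["bucketName"], d)
            for e in events if e["eventName"] == "PutBucketLifecycle"
            for d in _expiration_days(e["requestParameters"]) if d <= max_days]

def codefinger_candidates(events, max_days=7):
    """Buckets showing both SSE-C writes and a short deletion window."""
    return sorted({b for b, _, _ in sse_c_writes(events)}
                  & {b for b, _ in short_expirations(events, max_days)})

def deny_sse_c_policy(bucket):
    """Bucket policy denying any object write that supplies a customer key (Null=false: key present)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySSECWrites", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}]}
```

The deny policy only helps buckets that never legitimately use SSE-C; where it does, scope the statement to the principals that should not be supplying keys.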

The development comes as SlashNext said it has witnessed a surge in “rapid-fire” phishing campaigns mimicking the Black Basta ransomware crew’s email bombing technique to flood victims’ inboxes with over 1,100 legitimate messages related to newsletters or payment notices.

“Then, when people feel overwhelmed, the attackers swoop in via phone calls or Microsoft Teams messages, posing as company tech support with a simple fix,” the company said.

“They speak with confidence to gain trust, directing users to install remote-access software like TeamViewer or AnyDesk. Once that software is on a device, attackers slip in quietly. From there, they can spread harmful programs or sneak into other areas of the network, clearing a path straight to sensitive data.”
